TinyDisk: Lessons for Web Applications Builders

At the CTO Breakfast, someone also brought up TinyDisk, a complete, shared filesystem built on top of TinyURL. If you're not familiar with TinyURL, it's a URL mapping service that lets you create a short, easily emailed URL to replace a long, complicated one. Nice service that I've used several times.

TinyDisk is a demonstration by Acidus. It shows that any Web service that stores data can be used to store something else entirely, by encoding that something else into whatever the service accepts. In the case of TinyDisk, it's a Web-based file system that slices up a file, encrypts it, and stores the pieces out on TinyURL.

TinyDisk is a program for saving and retrieving files from TinyURL and TinyURL-like services such as NanoURL. It overlays a write-once-read-many, anonymous, persistent and globally shared filesystem. Once something is uploaded, only the database admin can delete it. Everyone can read it. No one can know who created it. Think of it as a magical CD-R that gets burned and placed on a network.

The presentation from Phreaknic describing this is worth looking at. Here are the presentation's recommendations for preventing your Web application from being repurposed:

Do lots of validation on data you receive from the user!

Do not allow arbitrary amounts of user

TinyURL isn't doing this. The basic idea behind TinyDisk is that it writes an arbitrary amount of information into TinyURL's database with a single HTTP request and then reads that information back out of the Location header of the HTTP 302 redirect.
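The two recommendations above (validate what you receive, and don't accept arbitrary amounts of it) applied to a shortener's "create" endpoint, as an added example that is not from the post or from TinyURL or NanoURL; the length limit, the hostname rule and the StorageQuota class are constructed for illustration:

```python
import re
from urllib.parse import urlsplit

# Constructed limits for this example; a real shortener would tune them.
MAX_URL_LENGTH = 2048                # generous for links, far too small for file chunks
ALLOWED_SCHEMES = {"http", "https"}  # a 302 must never point at data:, javascript:, file: ...
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def valid_hostname(host: str) -> bool:
    """Syntactic DNS-name check (assumption: IP literals are not accepted here)."""
    if not host or len(host) > 253:
        return False
    labels = host.rstrip(".").split(".")
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)

def validate_shorten_request(url: str) -> tuple[bool, str]:
    """Return (accepted, reason) for a 'shorten this URL' request.
    Anything that is not a plausible web link is refused, so the service
    cannot be turned into a blob store read back through the 302 Location header."""
    if len(url) > MAX_URL_LENGTH:
        return False, "too long"
    # CR/LF or other control bytes would also let the stored value inject headers.
    if any(ord(c) < 0x20 or ord(c) > 0x7E for c in url):
        return False, "control or non-ASCII bytes"
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if not valid_hostname(parts.hostname or ""):
        return False, "invalid host"
    return True, "ok"

class StorageQuota:
    """Per-client cap on accepted bytes: the 'no arbitrary amounts' rule."""
    def __init__(self, max_bytes: int):
        self.max_bytes = max_bytes
        self.used: dict[str, int] = {}

    def charge(self, client: str, nbytes: int) -> bool:
        """Record nbytes for client; False (and nothing recorded) once the cap is hit."""
        total = self.used.get(client, 0) + nbytes
        if total > self.max_bytes:
            return False
        self.used[client] = total
        return True

if __name__ == "__main__":
    for candidate in ("https://example.com/a?b=1", "javascript:alert(1)", "http://x/" + "A" * 3000):
        ok, why = validate_shorten_request(candidate)
        print(f"{why:26} {candidate[:40]}")
```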

This kind of thing isn't new, of course. A file system built on top of GMail has been around for a long time. But it shows that GMail isn't special: as soon as you give someone a Web application that stores data, it may be used for things you didn't intend. The presentation also gives tips for writing non-sanctioned extensions:

Write things as generically as possible. Your "API" is subject to change :)

Don't try to make any money with your extension (even Google ads). Theft of service.

Throttle your app to reduce impact on original site.

Contact authors, maybe you can help them.

Don't do it. Get the raw data that site is using for free (US Census, geo surveys, public domain references) and implement your own web app.

In the case of TinyDisk, Acidus wrote a replacement for TinyURL to test against, called NanoURL, using 2 pages of PHP and a MySQL database.